25% off all training courses Offer ends July 30, 2026
View HIPAA Courses
25% off all training courses
View HIPAA Courses
Offer ends July 30, 2026

The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Steve Alder

Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

OCR Seeks Comment on Recognized Security Practices and the Sharing of HIPAA Settlements
Apr07

OCR Seeks Comment on Recognized Security Practices and the Sharing of HIPAA Settlements

The Department of Health and Human Services’ Office for Civil Rights has released a Request for information (RFI) related to two outstanding requirements of the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act). The HITECH Act, as amended in 2021 by the HIPAA Safe Harbor Act, requires the HHS consider the security practices that have been implemented by HIPAA-regulated entities when considering financial penalties and other remedies to resolve potential HIPAA violations discovered during investigations and audits. The aim of the HIPAA Safe Harbor Act is to encourage HIPAA-regulated entities to implement cybersecurity best practices. The reward for organisations that have followed industry-standard security best practices for the 12 months prior to a data breach occurring is lower financial penalties for data breaches and less scrutiny by the HHS . Another outstanding requirement that dates back to when the HITECH Act was signed into law, is for the HHS to share a percentage of the civil monetary penalties (CMPs) and settlement payments...

Read More
Audit of the Connecticut Health Insurance Exchange Uncovers 44 Unreported Data Breaches
Apr06

Audit of the Connecticut Health Insurance Exchange Uncovers 44 Unreported Data Breaches

An audit of Connecticut’s Health Insurance Exchange, Access Health CT, by the state auditor has revealed Access Health CT suffered 44 data breaches over the last 3.5 years that had not been fully reported and that sufficient steps had not been taken to safeguard sensitive data. The Connecticut Health Insurance Exchange acts as a health insurance marketplace to reduce the number of state residents who do not have health insurance and to facilitate applications by low-income individuals for Medicaid coverage, as required under The Affordable Care Act. While Access Health had reported the data breaches to the Department of Health and Human Services, as required by HIPAA, and the state attorney general had been notified, the breaches had not been reported to the state auditor and comptroller. Under state law, the Connecticut Health Insurance Exchange is required to notify the Auditors of Public Accounts and the State Comptroller promptly when a security breach is discovered. The majority of the data breaches were small incidents, with most of the breaches (34) involving a Hampton,...

Read More

The PATCH Act Introduced to Improve Medical Device Cybersecurity

A bipartisan pair of senators have introduced the Protecting and Transforming Cyber Health Care (PATCH) Act which aims to improve the security of medical devices. Vulnerabilities are often identified in medical devices that could potentially be exploited by threat actors to change the functionality of the devices, render them inoperable, or to allows the devices to be used as a springboard for more extensive attacks on healthcare networks. Over the course of the pandemic, cyberattacks on healthcare organizations have increased, and medical devices and the networks to which they connect have been affected by ransomware attacks. These attacks have affected hospitals, patients, and the medical device industry. U.S. Senators Bill Cassidy, M.D. (R-LA) and Tammy Baldwin (D-WI) introduced the PATCH Act to ensure that the U.S. healthcare system’s cyber infrastructure remains safe and secure. The PATCH Act will update the Federal Food, Drug, and Cosmetic Act to require all premarket submissions for medical devices to include details of the cybersecurity protections that have been...

Read More
Differences Between Small and Large Healthcare Organizations on Security
Apr04

Differences Between Small and Large Healthcare Organizations on Security

A recent survey of healthcare providers by Software Advice provides insights into healthcare data breaches, their root causes, and the different security practices at small and large healthcare providers. The survey was conducted on 130 small practices with 5 or fewer licensed providers and 129 large practices with six or more providers to understand the security issues they face and the measures each group has taken to protect against cyberattacks and data breaches. Across both groups of healthcare providers, more than half store more than 90% of patient data digitally, such as patient records, medical histories, and billing records. While digital records are more efficient, there is a risk that hackers will be able to gain access to patient information. Hackers tend to target larger practices rather than small practices, based on the number of reported data breaches. 48% of large healthcare providers said they had experienced a data breach in the past, and 16% said they had suffered a breach in the past 12 months. One in four small practices had experienced a breach in the past...

Read More
Ransomware Gangs Claim Health Plan and Healthcare Provider Attacked
Apr01

Ransomware Gangs Claim Health Plan and Healthcare Provider Attacked

Partnership Health Plan of California Recovering from Suspected Ransomware Attack The Fairfield, CA-based nonprofit managed care health plan, Partnership Health Plan of California (PHC), has suffered a cyberattack that has taken its IT systems out of action for more than a week. PHC started notifying regional healthcare clinics on March 21, 2022, that its IT systems were disrupted, along with its website and phone lines and that efforts were underway to restore its systems. A timeline for when IT systems would likely be restored was not provided. PHC did not state in its notifications what caused the outage, but it appears to have been a ransomware attack by the Hive ransomware operation. The Hive ransomware gang claimed responsibility for the cyberattack on its clear web and dark web sites and said 400 gigabytes of data was exfiltrated from PHC systems that included 850,000 unique records of name, SSNs, dates of birth, addresses, and other information. That claim has since been removed. PHC has yet to confirm whether ransomware was used and the extent to which plan members’ data...

Read More
x

Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist